From 7d05a239d29ea2402aab7f727e81c0588f46b45d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Thu, 11 Jul 2024 13:44:07 +0200 Subject: [PATCH] api: ACL update: fix handling of Permissions.Modify MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With the PVE 8.0 major release, the scope of non-"Permissions.Modify"-based ACL update privileges were reduced (so that users with for example, VM.Allocate on a VM could only delegate their own privileges, but not arbitrary other ones). that additional logic had a wrong guard and was accidentally triggered for calls where the user had the "Permissions.Modify" privilege on the modified ACL path, but without propagation set. A user with "Permissions.Modify" on a path should be able to set arbitrary ACLs for that path, even without propagation. Reported on the forum: https://forum.proxmox.com/threads/151032/ Fixes: 46bfd59 ("acls: restrict less-privileged ACL modifications") Signed-off-by: Fabian Grünbichler --- src/PVE/API2/ACL.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/PVE/API2/ACL.pm b/src/PVE/API2/ACL.pm index 93adb78..2a4d4ff 100644 --- a/src/PVE/API2/ACL.pm +++ b/src/PVE/API2/ACL.pm @@ -166,7 +166,8 @@ __PACKAGE__->register_method ({ die "role '$role' does not exist\n" if !$cfg->{roles}->{$role}; - if (!$auth_user_privs->{'Permissions.Modify'}) { + # permissions() returns set privs as key, and propagate bit as value! + if (!defined($auth_user_privs->{'Permissions.Modify'})) { # 'perm-modify' allows /vms/* with VM.Allocate and similar restricted use cases # filter those to only allow handing out a subset of currently active privs my $role_privs = $cfg->{roles}->{$role};